The remote Redhat Enterprise Linux 9 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - nodejs: integrity checks according to policies can be circumvented (CVE-2023-38552)

  - Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The     injected code may be able to access data and functions that the WebAssembly module itself does not have     access to, similar to as if the WebAssembly module was a JavaScript module. This vulnerability affects     users of any active release line of Node.js. The vulnerable feature is only available if Node.js is     started with the `--experimental-wasm-modules` command line option. (CVE-2023-39333)

  - Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already     cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design,     `cookie` headers are forbidden request headers, disallowing them to be set in RequestInit.headers in     browser environments. Since undici handles headers more liberally than the spec, there was a disconnect     from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to     accidental leakage of cookie to a third-party site or a malicious attacker who can control the redirection     target (ie. an open redirector) to leak the cookie to the third party site. This was patched in version     5.26.2. There are no known workarounds. (CVE-2023-45143)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

Detections

Analytics

RHEL 9 : nodejs (Unpatched Vulnerability)

high Nessus Plugin ID 202280

Version 1.2

Version 1.1

Version 1.2 Sep 27, 2024, 3:23 AM CVSS metrics ("Cvssv4 score" set to 0.0) CVSSv2 severity (based on None, severity decreased from "High" to "Low") Plugin metadata Plugin Feed: 202409270323
Version 1.1 Jul 12, 2024, 10:18 PM New Plugin Feed: 202407122218